Online logins are proliferating. Passwords abound. Password management has become something that requires more than a sticky pad and a pen. Much has been written about using unique passwords on different sites and rotating them at appropriate periods and whether it’s better to have a complex or compound password. But what about the security questions?
In an effort to provide additional authentication and control fraud, you are asked to enter the answer to some very personal questions.
- “What was your first car?”
- “What was the name of your first pet?”
- “How many times did you sneak out to visit your seventh grade girlfriend?” [ref]Trick question that reports to your parents[/ref]
- and the ever-present, “What is your mother’s maiden name?”
All of these knowledge-based questions are meant to add a step to password authentication. Of the three factor types, something you know, something you have, and something you are, a security question is just another "something you know," the same factor as the password itself. So it is not two-factor authentication in any real sense; at best it stops someone who only found the password on your sticky note. Keep in mind, too, that many sites use these answers as the account-recovery path, so a guessable answer is effectively a second, weaker password for the account.
But it dawned on me the other day, I don’t really have to respond with the actual answer. I know it sounds a bit dense. It kind of surprised me that it took this long to even contemplate this level of deception. The site asking doesn’t know if my elementary school was Kennedy or Reagan.[ref]It was neither, for those social engineering at home[/ref] They don’t know that my first car was blue. More importantly, I don’t have to try and remember who I thought my best friend in high school was or where my sixth birthday party occurred.
I’m free to answer the exact same thing on every site. Yes, I graduated from Snuffleupagus High School. Yes, the street I grew up on is named Snuffleupagus Drive. And yes, my favorite television character is Snuffleupagus. Ok, so maybe that last one actually makes sense. This aids in recall and ensures that you don’t get stuck wondering whether your favorite musician when you signed up was Justin Bieber or Harry Styles.
There are a few downsides to this method. You have reduced the randomness of your answers to a single secret: once someone learns one of your security answers, they know all of them, and security answers are not always stored as carefully as passwords, so one leaky site can expose the lot. On the other hand, while brute force attempts target passwords all the time, security questions are less likely to permit the same volume of guesses before locking the account or timing out. There is also less chance that an attacker will assume you answered with complete nonsense. Imagine the frustration of someone targeting your account who has done their homework and knows for sure that you were born at St. Francis in Topeka, KS, while you answered with your stock security answer.

Depending on the answer you choose, you might also be making your customer service call more difficult. If you are like me and use a password safe, you may find yourself using a generated answer. You'll need to apologize in advance to the nice lady on the phone and then read off your 55 character complex passphrase.
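The middle ground between "Snuffleupagus everywhere" and a 55 character string you cannot read aloud is a random answer built from a few ordinary words, different for every site and stored in the password safe. The following Python is an added example written for this post, not code from the original article; the 32 word list is a constructed stand-in (a real deployment would load a published list such as the EFF long wordlist), and the site names are hypothetical. It draws words with the `secrets` CSPRNG, tells you how many words you need to reach a target entropy, and renders an answer in a form you can read to a support agent without spelling out 55 symbols.

```python
"""Per-site, phone-readable security-question answers.

Added example (not the original post's code). Word list and site names
are constructed for illustration; real use would load a full wordlist
such as the EFF long list (7776 words) from disk.
"""
import math
import secrets

# Constructed sample wordlist: 32 short, unambiguous, easy-to-spell words.
# Assumption for the example only; a real list should be much larger.
WORDS = [
    "acorn", "basil", "cedar", "delta", "ember", "fable", "gamma", "harbor",
    "ivory", "jumbo", "kite", "lemon", "maple", "nylon", "olive", "pepper",
    "quartz", "river", "salmon", "tulip", "umber", "velvet", "walnut", "xenon",
    "yogurt", "zebra", "frost", "lamp", "pixel", "rocket", "saddle", "tunnel",
]


def entropy_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words from this list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_answer(words, n_words=4, choose=secrets.choice):
    """Return a random answer such as 'kite-river-lamp-frost'.

    `choose` defaults to secrets.choice (CSPRNG). It is a parameter only so
    a caller can substitute a seeded chooser when reproducibility matters.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return "-".join(choose(words) for _ in range(n_words))


def answers_for_sites(sites, words, n_words=4, choose=secrets.choice):
    """One independent answer per site.

    Unlike a single stock answer reused everywhere, a leak of one site's
    answer (they are not always stored as carefully as passwords) says
    nothing about the others.
    """
    return {site: generate_answer(words, n_words, choose) for site in sites}


def spell_for_phone(answer):
    """Render an answer for reading aloud to a support agent.

    Each word is given, then spelled letter by letter, e.g.
    'kite (k-i-t-e), lamp (l-a-m-p)'.
    """
    parts = []
    for word in answer.split("-"):
        parts.append(f"{word} ({'-'.join(word)})")
    return ", ".join(parts)


if __name__ == "__main__":
    # Hypothetical site names, constructed for the example.
    table = answers_for_sites(["bank", "mail", "shop"], WORDS)
    for site, answer in table.items():
        print(f"{site:5s} {answer:32s} -> {spell_for_phone(answer)}")
    print(f"4 words from a 32-word list:   {entropy_bits(4, 32):.1f} bits")
    print(f"4 words from a 7776-word list: {entropy_bits(4, 7776):.1f} bits")
    print(f"words for 64 bits (7776 list): {words_needed(64, 7776)}")
```

Four words from a 7776 word list give roughly 52 bits, far more than any real answer to "what was your first car?" and enough that online guessing, which the site will rate-limit or lock out anyway, is hopeless. If you also want the answer to survive an offline attack on a leaked database, `words_needed` tells you how many words to add. Store the per-site answer in the password safe next to the password, exactly as you would any other secret.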
Before you call your mom to find out what town she and your dad were in when they met, consider whether it's necessary to factually answer the security question.